BIND 10 trac1177, updated. 94fc0adc1b01f6a0632bb07a4c882e0cdf876741 [1177] Implement result statuses for DNSSEC
BIND 10 source code commits
bind10-changes at lists.isc.org
Thu Sep 8 09:58:50 UTC 2011
The branch, trac1177 has been updated
via 94fc0adc1b01f6a0632bb07a4c882e0cdf876741 (commit)
via eb64a4df2e3b5c509a3611282779e333dbc31fc3 (commit)
via d9fc1dbf6f63a93131cd78a11656cd150999d0fb (commit)
from e9eb3b16a185becb8b68c0f603ea919e301a9127 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 94fc0adc1b01f6a0632bb07a4c882e0cdf876741
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Thu Sep 8 11:57:44 2011 +0200
[1177] Implement result statuses for DNSSEC
commit eb64a4df2e3b5c509a3611282779e333dbc31fc3
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Thu Sep 8 11:42:20 2011 +0200
[1177] Tests for wildcard result codes
commit d9fc1dbf6f63a93131cd78a11656cd150999d0fb
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Thu Sep 8 11:30:13 2011 +0200
[1177] New Result statuses
To distinguish wildcard results, because then the logic will have to
query for another NSEC
-----------------------------------------------------------------------
Summary of changes:
src/lib/datasrc/database.cc | 50 ++++++++++++++++++++-------
src/lib/datasrc/tests/database_unittest.cc | 16 +++++----
src/lib/datasrc/zone.h | 21 +++++++++---
3 files changed, 62 insertions(+), 25 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/lib/datasrc/database.cc b/src/lib/datasrc/database.cc
index 4832103..d7fb2f3 100644
--- a/src/lib/datasrc/database.cc
+++ b/src/lib/datasrc/database.cc
@@ -442,7 +442,8 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
// TODO What do we do about DNAME here?
static WantedTypes wildcard_types(empty_types +
RRType::CNAME() +
- RRType::NS());
+ RRType::NS() +
+ RRType::NSEC());
found = getRRsets(wildcard, wildcard_types + type, true,
&name);
if (found.first) {
@@ -469,6 +470,8 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
cni(found.second.find(RRType::CNAME()));
const FoundIterator
nsi(found.second.find(RRType::NS()));
+ const FoundIterator
+ nci(found.second.find(RRType::NSEC()));
const FoundIterator wti(found.second.find(type));
if (cni != found.second.end() &&
type != RRType::CNAME()) {
@@ -479,6 +482,24 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
result_status = DELEGATION;
} else if (wti != found.second.end()) {
result_rrset = wti->second;
+ result_status = WILDCARD;
+ } else {
+ // NXRRSET case in the wildcard
+ result_status = WILDCARD_NXRRSET;
+ if (dnssec_data &&
+ nci != found.second.end()) {
+ // User wants a proof the wildcard doesn't
+ // contain it
+ //
+ // However, we need to get the RRset in the
+ // name of the wildcard, not the constructed
+ // one, so we walk it again
+ found = getRRsets(wildcard, empty_types +
+ RRType::NSEC(), true);
+ result_rrset =
+ found.second.find(RRType::NSEC())->
+ second;
+ }
}
LOG_DEBUG(logger, DBG_TRACE_DETAILED,
@@ -516,18 +537,21 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
}
if (!result_rrset) {
- if (records_found) {
- logger.debug(DBG_TRACE_DETAILED,
- DATASRC_DATABASE_FOUND_NXRRSET)
- .arg(database_->getDBName()).arg(name)
- .arg(getClass()).arg(type);
- result_status = NXRRSET;
- } else {
- logger.debug(DBG_TRACE_DETAILED,
- DATASRC_DATABASE_FOUND_NXDOMAIN)
- .arg(database_->getDBName()).arg(name)
- .arg(getClass()).arg(type);
- result_status = NXDOMAIN;
+ if (result_status == SUCCESS) {
+ // Something is not here and we didn't decide yet what
+ if (records_found) {
+ logger.debug(DBG_TRACE_DETAILED,
+ DATASRC_DATABASE_FOUND_NXRRSET)
+ .arg(database_->getDBName()).arg(name)
+ .arg(getClass()).arg(type);
+ result_status = NXRRSET;
+ } else {
+ logger.debug(DBG_TRACE_DETAILED,
+ DATASRC_DATABASE_FOUND_NXDOMAIN)
+ .arg(database_->getDBName()).arg(name)
+ .arg(getClass()).arg(type);
+ result_status = NXDOMAIN;
+ }
}
} else {
logger.debug(DBG_TRACE_DETAILED,
diff --git a/src/lib/datasrc/tests/database_unittest.cc b/src/lib/datasrc/tests/database_unittest.cc
index 4d0f955..6bfaf11 100644
--- a/src/lib/datasrc/tests/database_unittest.cc
+++ b/src/lib/datasrc/tests/database_unittest.cc
@@ -1184,22 +1184,22 @@ TEST_F(DatabaseClientTest, wildcard) {
"12345 example.org. FAKEFAKEFAKE");
doFindTest(finder, isc::dns::Name("a.wild.example.org"),
isc::dns::RRType::A(), isc::dns::RRType::A(),
- isc::dns::RRTTL(3600), ZoneFinder::SUCCESS, expected_rdatas_,
+ isc::dns::RRTTL(3600), ZoneFinder::WILDCARD, expected_rdatas_,
expected_sig_rdatas_);
doFindTest(finder, isc::dns::Name("b.a.wild.example.org"),
isc::dns::RRType::A(), isc::dns::RRType::A(),
- isc::dns::RRTTL(3600), ZoneFinder::SUCCESS, expected_rdatas_,
+ isc::dns::RRTTL(3600), ZoneFinder::WILDCARD, expected_rdatas_,
expected_sig_rdatas_);
expected_rdatas_.clear();
expected_sig_rdatas_.clear();
doFindTest(finder, isc::dns::Name("a.wild.example.org"),
isc::dns::RRType::AAAA(), isc::dns::RRType::AAAA(),
- isc::dns::RRTTL(3600), ZoneFinder::NXRRSET, expected_rdatas_,
- expected_sig_rdatas_);
+ isc::dns::RRTTL(3600), ZoneFinder::WILDCARD_NXRRSET,
+ expected_rdatas_, expected_sig_rdatas_);
doFindTest(finder, isc::dns::Name("b.a.wild.example.org"),
isc::dns::RRType::AAAA(), isc::dns::RRType::AAAA(),
- isc::dns::RRTTL(3600), ZoneFinder::NXRRSET, expected_rdatas_,
- expected_sig_rdatas_);
+ isc::dns::RRTTL(3600), ZoneFinder::WILDCARD_NXRRSET,
+ expected_rdatas_, expected_sig_rdatas_);
// Direct request for thi wildcard
expected_rdatas_.push_back("192.0.2.5");
@@ -1301,6 +1301,8 @@ TEST_F(DatabaseClientTest, wildcard) {
isc::dns::RRType::A(), isc::dns::RRTTL(3600),
ZoneFinder::NXRRSET, expected_rdatas_,
expected_sig_rdatas_);
+ // FIXME: What should be returned in this case? How does the
+ // DNSSEC logic handle it?
}
}
@@ -1337,7 +1339,7 @@ TEST_F(DatabaseClientTest, wildcardNXRRSET_NSEC) {
doFindTest(finder, isc::dns::Name("a.wild.example.org."),
isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
isc::dns::RRTTL(3600),
- ZoneFinder::NXRRSET,
+ ZoneFinder::WILDCARD_NXRRSET,
expected_rdatas_, expected_sig_rdatas_,
Name("*.wild.example.org"), ZoneFinder::FIND_DNSSEC);
}
diff --git a/src/lib/datasrc/zone.h b/src/lib/datasrc/zone.h
index e65ea23..0cbad6a 100644
--- a/src/lib/datasrc/zone.h
+++ b/src/lib/datasrc/zone.h
@@ -61,15 +61,23 @@ public:
///
/// Note: the codes are tentative. We may need more, or we may find
/// some of them unnecessary as we implement more details.
+ ///
+ /// Some are synonyms of others in terms of RCODE returned to user.
+ /// But they help the logic to decide if it should ask for a NSEC
+ /// that covers something or not (for example, in case of NXRRSET,
+ /// the directly returned NSEC is sufficient, but with wildcard one,
+ /// we need to add one proving there's no exact match and this is
+ /// actually the best wildcard we have). Data sources that don't
+ /// support DNSSEC don't need to distinguish them.
enum Result {
SUCCESS, ///< An exact match is found.
DELEGATION, ///< The search encounters a zone cut.
NXDOMAIN, ///< There is no domain name that matches the search name
NXRRSET, ///< There is a matching name but no RRset of the search type
CNAME, ///< The search encounters and returns a CNAME RR
- DNAME ///< The search encounters and returns a DNAME RR
- // TODO: Add WILDCARD here so we can request covering NSEC
- // TODO: Add WILDCARD_NXRRSET for the same reason
+ DNAME, ///< The search encounters and returns a DNAME RR
+ WILDCARD, ///< Succes by wildcard match, for DNSSEC
+ WILDCARD_NXRRSET ///< NXRRSET on wildcard, for DNSSEC
};
/// A helper structure to represent the search result of \c find().
@@ -176,8 +184,8 @@ public:
/// We should revisit the interface before we heavily rely on it.
///
/// The \c options parameter specifies customized behavior of the search.
- /// Their semantics is as follows:
- /// - \c GLUE_OK Allow search under a zone cut. By default the search
+ /// Their semantics is as follows (they are or bit-field):
+ /// - \c FIND_GLUE_OK Allow search under a zone cut. By default the search
/// will stop once it encounters a zone cut. If this option is specified
/// it remembers information about the highest zone cut and continues
/// the search until it finds an exact match for the given name or it
@@ -185,6 +193,9 @@ public:
/// RRsets for that name are searched just like the normal case;
/// otherwise, if the search has encountered a zone cut, \c DELEGATION
/// with the information of the highest zone cut will be returned.
+ /// - \c FIND_DNSSEC Request that DNSSEC data (like NSEC, RRSIGs) are
+ /// returned with the answer. It is allowed for the data source to
+ /// include them even when not requested.
///
/// A derived version of this method may involve internal resource
/// allocation, especially for constructing the resulting RRset, and may
More information about the bind10-changes
mailing list